Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0007 ✕ technique: T1615 ✕
Show ATT&CK heatmapPossible GPO Enumeration Informational Identity Analytics 2 variations
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Group Policy Discovery (T1615)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: LDAP Analytics (Client), LDAP Analytics (Server)Attacker's goals: An attacker is attempting to enumerate Active Directory.Investigative actions: Investigate the LDAP search query for any suspicious indicators. Look for additional LDAP queries the user executed that might be suspicious. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries. Check if the process executes LDAP search queries as part of its normal behavior.Variations
Suspicious GPO Enumeration by an LDAP tool
Medium overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden
Possible GPO Enumeration by a Suspicious Process
Low overridden
A possible GPO enumeration via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden